[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Sat Nov 10 19:12:24 MST 2012


On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> >>>> be a particular trigger - but it shouldn't be able to make a
> >>>> modification that doesn't go via vfs_acl_xattr.
> >>>>
> >>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
> >>>> level 10 on samba-tool ntacl sysvolcheck):
> >>>>
> >>>> get_nt_acl_internal: blob hash matches for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >>>>
> >>>> then after, he gets:
> >>>>
> >>>> get_nt_acl_internal: blob hash does not match for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck.  It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> >
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> >
> > Jeremy.
> OK, I have some additional info.
> 
> Using the GPMC I cannot create new GPOs. I get the message: "This 
> security ID may not be assigned as the owner of this object"
> 
> If I use samba-tool gpo create I get the following:
> 
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
> CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
> line 952, in run
>      self.samdb.add(m)
> 
> If I supply administrator as username I get:
> 
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734, 
> 'NT_STATUS_INVALID_OWNER')
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
> line 987, in run
>      conn.set_acl(sharepath, fs_sd, sio)
> 
> However this time it has successfully created the GPO. (GPMC still 
> throws the same warnings about inconsistent ACLs).
> 
> bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
> bin/samba-tool gpo create "SMC Students" -U administrator -d 10: 
> http://pastebin.com/8kkVEy7V
> 
> I would hazard a guess and say the GPMC error (when creating a GPO) is 
> the same error as the samba-tool error.

Jeremy,

You said earlier in the thread that you were going to look into this.
I'll continue to try and find angles on this, but did you get anywhere
with sorting out Alex's issues?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
